Introduction
1. a) What can hackers gain by taking over application programs?
They get the privileges of the application program they take over.
b) What is the most popular way for hackers to take over hosts?
By taking over an application with root privileges.

2. a) What is a buffer?
A temporary storage area in memory.
b) What is a buffer overflow attack?
An attack that writes data longer than the space allocated for it in the buffer.
c) What impacts can buffer overflows have?
The impact of a buffer overflow can range from nothing to the crashing of the server or the ability to execute any command on the server.
d) In a stack overflow, what is overwritten by the overflow?
The return address in a stack is overwritten in a stack overflow.
e) To where does the overwritten return address point?
The overwritten address will point to data in the buffer, which will actually be a program/attack code that will be executed instead of legitimate code.
f) In the IIS IPP buffer overflow attack, what buffer is overflowed?
The host to which the request should go. The host name is replaced with a 420-character string that causes a buffer overflow.

3. Why is patching applications more time consuming than patching operating systems?
There are many more applications compared to only one OS, and finding information about application vulnerabilities takes a lot of time.

4. a) Why must you know a server’s role to know how to protect it?
Knowing what a server is meant to do allows you to determine what services must be kept on, and all others can be disallowed.
b) Why is it important to minimize both main applications and subsidiary applications?
The fewer applications you have, the fewer security risks there will be.
c) Why are security baselines needed for installing applications?
A complex series of actions is needed for any major application. This requires the checklist of a security baseline.
d) Why is it important to minimize permissions for application programs?
Application permissions must be minimized because if a hacker takes over an application, he can take over the entire host if the permissions are too great.
e) Why is application-level authentication superior to operating system authentication?
Application-level authentication is superior because it would require the hacker to not only have an exploit, but also authenticated access to a server (rather than just an exploit).
f) Why should cryptographic protections be used?
To prevent eavesdropping by unauthorized people.

5. a) How does a SQL injection attack work?
A SQL injection attack works by manipulating the way database parameters are processed. Malformed parameters are passed via a web interface to be processed by a database. The malformed parameters allow an attacker to extract data, shut down a database, or perform a variety of database functions.
b) What is SQL?
SQL is a query language used to extract, insert, or delete data from a database.
c) What is error-based inference?
Error-based inference is used by attackers to manipulate a database based on the errors returned when commands are submitted.
d) What is the difference between in-band and out-of-band SQL injection?
In-band SQL injection extracts data directly from the database and displays it in a web browser. Out-of-band SQL injection uses malformed statements to extract data through a different application such as e-mail.
e) What is blind SQL injection?
Blind SQL injection uses a series of SQL statements that produce different responses based on true/false questions, or timed responses.
f) How can SQL injection be prevented?
Threats from SQL injection can be mitigated by parameterizing queries and sanitizing inputs.

6. a) What is a login screen bypass attack?
In a login screen bypass attack, the attacker bypasses the login page by typing a URL for a page beyond the login screen.
b) What is a cross-site scripting (XSS) attack?
An attack in which some input is echoed back in the form of information on a webpage. If a script can be put into the original input, this script will be executed when it is sent back to the user.
c) What is an SQL injection attack?
SQL injection attacks occur when an attacker enters a string that includes the user’s info and another SQL query; when the program enters the input string in the SQL query, it may execute both the user’s and attacker’s query, providing info the attacker should not have (such as bank account routing info).
d) What attitude should programmers have about user input?
Programmers should never trust user input; input should be checked to make sure it does not contain anything a valid user would not enter.
e) What training should programmers who do custom programming have?
Programmers need to be trained in secure programming both in general and for their particular language and application.
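A worked illustration of the point made in 5f and 6c/d, added here as an example (it is not from the textbook or its answer key): the same login lookup written first with string concatenation and then with a parameterized query, run against a constructed in-memory SQLite table. The table contents, the `login_*` helper names and the plausibility check are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with a routing number per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, routing TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "021000021"), ("bob", "hunter2", "011000015")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL text, so a quote
    character in the input ends the intended comparison and the rest is parsed as SQL.
    This is the defect the text describes; it is kept here only for comparison."""
    sql = (
        "SELECT username, routing FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Parameterized query: the driver binds the values as data, so the input can
    never change the structure of the statement, whatever characters it contains."""
    sql = "SELECT username, routing FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_plausible_username(value):
    """Input checking as 6d puts it: reject anything a valid user would not enter.
    A username here is short and alphanumeric; quotes and spaces are not accepted."""
    return value.isalnum() and 1 <= len(value) <= 32
```

The parameterized version returns no row for a malformed password, while the concatenated version matches every user; the validation check rejects the same input before it ever reaches the database.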

7. What risks do webservice and e-commerce service create for corporations?
Attacks can disrupt service, harm a company’s reputation, and expose private information with heavy repercussions to the firm. They can also enable customer fraud against the firm to succeed more effectively.

8. a) Distinguish between WWW service and e-commerce service.
E-commerce adds functionality to webservice.
b) What kinds of external access are needed for e-commerce?
An e-commerce server needs to have network access to a number of systems external to itself, including servers within firms (for order entry, accounting, shipping, and so forth) and servers outside the firm in merchant banks and companies that check credit card numbers for validity. The webmaster or e-commerce master often has no control over the security of other systems.
c) Does the webmaster or e-commerce administrator have control over the security of other servers?
Neither the webmaster nor the e-commerce administrator has control over the security of other systems outside their purview.
d) Why are custom programs especially vulnerable?
Custom programs offer security through obscurity, but because they are often not programmed securely, hackers have automated tools that can find common exploits (such as buffer overflows) to allow them to attack the application.

9. a) What is website defacement?
Changing the contents of a webpage.
b) Why is it damaging?
It may be embarrassing to the company.
c) In directory access commands and URLs, what does “..” represent?
It means move to the parent of the current directory.
d) What are directory traversal attacks?
Attacks in which a user reaches a directory outside of the WWW root directory and its subdirectories.
e) Create a URL to retrieve the file aurigemma.htm, which is under the rainbow directory on the host www.pukanui.com. The WWW root is three levels below the system’s true root directory, and the rainbow directory is under the projects directory, which is directly under the root directory. (Hint: Draw a picture.)
http://www.pukanui.com/../../projects/rainbow/aurigemma.htm
f) In what two ways have attackers circumvented filtering designed to stop directory traversal attacks?
Hackers have encoded the “..” characters in hexadecimal or Unicode character sets so that the filter does not recognize them, while the server still decodes them and executes the traversal.
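An added example (not part of the answer key) of the filtering that 9d-f describes, written from the server’s side: the requested path is percent-decoded before it is normalized and compared with the WWW root, so a “..” hidden behind a hex or overlong Unicode encoding is caught instead of slipping past a filter that only looks for the literal characters. The document root and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

WWW_ROOT = "/srv/www/root"  # assumed document root; not a path from the text


def decode_fully(path, max_rounds=3):
    """Undo percent-encoding until it stops changing, so '%2e%2e' and even a doubly
    encoded '%252e%252e' are seen as '..' before any check is made."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request_path(url_path):
    """Return the absolute file path a request maps to, or None if it escapes WWW_ROOT.

    The order matters: decode first, then normalize, then compare. Checking for '..'
    on the raw URL is exactly the filter the encoded forms get around."""
    decoded = decode_fully(url_path)
    # Overlong or otherwise invalid UTF-8 sequences come out of unquote() as U+FFFD;
    # a NUL would truncate the path in a C-based server. Neither belongs in a file name.
    if "\ufffd" in decoded or "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator as well
    # Collapse '.', '..' and repeated slashes only after decoding.
    candidate = posixpath.normpath(posixpath.join(WWW_ROOT, decoded.lstrip("/")))
    # The trailing slash keeps a sibling such as '/srv/www/rootkit' from passing.
    if candidate != WWW_ROOT and not candidate.startswith(WWW_ROOT + "/"):
        return None
    return candidate
```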

10. a) What software must be patched on an e-commerce server?
The webserver, the e-commerce server, and subsidiary programs must all be up-to-date on their patches.
b) What three other webserver protections were mentioned in the text?
The three other webserver protections mentioned in the text were (1) website vulnerability assessment tools, like Whisker, (2) reading website error logs, (3) using a webserver proxy in front of the webserver.
c) Where is an application proxy firewall placed relative to the webserver?
Application proxy firewalls would be placed in front of the webserver (between the webserver and the border router).

11. a) In staged development, what three servers do companies use?
A development server, a testing server, and a production server.
b) What permissions does the developer have on the development server?
Developers get extensive permissions on the development server.
c) On the testing server?
Developers get no permissions on the testing server.
d) On the production server?
Developers get no permissions on the production server.
e) On what servers does the tester have access permissions?
The tester should only have access to the test servers.

12. a) Why do hackers attack browsers?
Attackers might want the data stored on the client, and they can use a compromised client to attack other systems for which the client has access credentials.
b) What is mobile code?
Mobile code consists of commands written into a webpage that is downloaded when the page is visited.
c) Why is it called mobile code?
It is called mobile code because the code travels from the webpage to the client to execute.
d) What is a client-side script?
A client-side script is code that is written to execute on the client PC, allowing the attacker access to the PC.
e) What is a Java applet?
A Java applet is a small program written in the Java language. The Java applet is downloaded into a webpage.
f) Why is Active-X dangerous?
Active-X is dangerous because it has significant permissions on the machine; if a hacker writes in Active-X, it could compromise the PC easily.
g) How do scripting languages compare to full programming languages?
They are simpler and more limited.
h) Is JavaScript a scripted form of Java?
No.

13. a) Why is it bad to go to a malicious website?
Malicious websites can have attack scripts that automatically load an executable on a PC. This is bad.
b) How can social engineering be used to trick a victim to go to a malicious website?
Hackers can send messages saying something bad (or good) has happened and direct you to a malicious website instead.
c) Why do attackers want to get domain names such as micosoft.com?
Common misspellings of legitimate websites will naturally draw users; once at the site, the malicious websites can download mobile code to attack the PC.
d) Why may malware that allows an attacker to execute a single command on a user’s computer not really be limited to executing a single command?
Malware that allows an attacker to execute a single command may be used to initiate another program that provides much greater PC access (such as a command shell).
e) What may happen on a compromised computer if a user mistypes the host name in a URL?
Mistyping a URL may send a user to a malicious website, where hostile mobile code is waiting to attack the PC.
f) What dangers do cookies create?
Cookies can be used to track a user’s activity, which could violate privacy. Cookies can also hold PII.

14. a) What can users do to enhance browser security?
Ensure patches are installed and upgrade the software when updates are available.
b) Under Internet Options in IE, what can the user do on the security tab?
The user can select the general security settings for general, intranet, trusted, and restricted websites.
c) What are your computer’s settings for the four zones?
Answers will vary.
d) In which tab are cookies controlled?
Cookies are controlled under the Privacy tab.

15. a) Why are HTML bodies in e-mail messages dangerous?
HTML can contain malicious scripts.
b) What is spam?
Spam is unsolicited commercial e-mail.
c) What four problems does spam create?
Spam clogs mailboxes, slows user computers, annoys users, and requires users to spend time deleting the unwanted messages.
d) Why is spam filtering dangerous?
Spam filtering is dangerous because valid e-mail will eventually be affected.
e) For what legal reason should companies filter sexually or racially harassing message content?
Filtering explicit message content shows that the company does not tolerate this type of action and tried to stop it (in case of lawsuit, this may help).
f) What is extrusion prevention?
Preventing certain information from leaving the company.
g) Why is extrusion prevention needed for intellectual property?
It prevents the loss of trade secrets.
h) What is PII, and why must it be prevented from leaving the firm?
PII is Personally Identifiable Information (such as SSN, date of birth, address, etc.) that must be prevented from leaving a firm in order to avoid lawsuits related to identity theft or credit card theft.

16. a) Is encryption widely used in e-mail?
Encryption is not widely used in e-mail because of the difficulties of end-to-end encryption systems.
b) What part of the e-mail process does SSL/TLS usually secure?
SSL/TLS usually only secures the transmission of e-mail from the client to the server.
c) Is this end-to-end security? Explain.
This is not end-to-end security because unless all other links in the path are encrypted (such as between mail servers, and the POP3/IMAP connection from mail server to end user client application), there is no end-to-end security.
d) What standards provide end-to-end security?
S/MIME and PGP provide end-to-end security.
e) Compare PGP and S/MIME in terms of how applicants learn the true party’s public key.
S/MIME uses the traditional PKI to share keys. In PGP, keys are shared via circles of trust.
f) Describe the advantages and disadvantages of each approach.
Using PKI offers the strongest security, but it is labor intensive and can be expensive to get key pairs issued to all participants. PGP is cheaper, but the possibility of misplacing trust and having bogus public key/name pairs is high. Thus, PKI has been used in corporate environments, while PGP is used primarily in person-to-person communications.

17. a) What is VoIP?
Voice over IP. The digitization of voice and its transmission over a data network.
b) Distinguish between IP telephones and soft phones.
IP telephones are telephones that contain everything needed to attach to a VoIP network.
A soft phone is a computer with hardware and software for VoIP.
c) List, in order of appearance at the receiver, the headers and message of a packet carrying voice between phones.
  • IP header
  • UDP header
  • RTP header
  • Codec byte stream
d) What does RTP add to compensate for the limitations of UDP?
RTP adds sequence numbers (in order delivery) and time stamps (to control jitter).
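To make 17c/d concrete, here is an added example (not from the textbook) that parses the RTP fixed header found after the IP and UDP headers, then uses the sequence numbers to count lost and out-of-order packets and the timestamps to estimate inter-arrival jitter with the RFC 3550 estimator. The packets and arrival times are constructed; the function names are assumptions.

```python
import struct

RTP_HEADER_LEN = 12  # fixed part: V/P/X/CC, M/PT, sequence number, timestamp, SSRC


def build_rtp(seq, timestamp, payload, ssrc=0x1234ABCD, pt=0, marker=False):
    """Construct an RTP packet: version 2, no padding/extension/CSRC, PT 0 (G.711 mu-law).
    The codec byte stream is simply appended after the 12-byte header."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    """Parse the 12-byte fixed RTP header (RFC 3550) and return the fields a receiver
    needs. Everything after the header and any CSRC list is the codec byte stream."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError("unsupported RTP version")
    csrc_count = b0 & 0x0F
    payload_start = RTP_HEADER_LEN + 4 * csrc_count
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "marker": bool(b1 & 0x80),
            "payload_type": b1 & 0x7F, "payload": packet[payload_start:]}


def receiver_report(packets, arrival_ms, ticks_per_ms=8):
    """What UDP alone cannot tell the receiver: sequence numbers reveal skipped and late
    packets, and timestamps compared with arrival times give the jitter estimate
    J = J + (|D| - J) / 16 from RFC 3550 section 6.4.1, in timestamp ticks.
    ticks_per_ms=8 matches the 8 kHz clock used for G.711."""
    lost = reordered = 0
    jitter = 0.0
    prev = prev_arrived = None
    for pkt, arrived in zip(packets, arrival_ms):
        hdr = parse_rtp(pkt)
        if prev is not None:
            gap = (hdr["seq"] - prev["seq"]) & 0xFFFF
            if gap == 0 or gap > 0x8000:
                reordered += 1          # duplicate or late packet; not credited back to lost
            elif gap > 1:
                lost += gap - 1         # sequence numbers that never arrived
            # D(i,j) = (Rj - Ri) - (Sj - Si): change in transit time between two packets
            d = (arrived - prev_arrived) * ticks_per_ms - (hdr["timestamp"] - prev["timestamp"])
            jitter += (abs(d) - jitter) / 16.0
        prev, prev_arrived = hdr, arrived
    return {"lost": lost, "reordered": reordered, "jitter": jitter}
```

With 20 ms G.711 frames the timestamp advances 160 ticks per packet, so a packet that arrives 5 ms late shows up as a transit-time change of 40 ticks and a first jitter estimate of 2.5.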

18. a) Distinguish between transport and signaling.
In transport, data/voice is sent. In signaling, the parameters for the communication channel are determined, configured, and managed.
b) In Figure 8-25, is the packet shown a transport packet or a signaling packet?
The packet shown is a transport packet because it contains the Codec byte stream.
c) What are the two main signaling standards in VoIP?
SIP and H.323
d) What does the registrar server do? (Hint: Don’t say, “It registers things.”)
The registrar server adds the user and his location to the registration database for proxy servers to use to route calls.
e) What type of SIP message does a VoIP phone use when it wants to connect to another VoIP phone?
First the caller’s phone sends a SIP INVITE message to the caller’s own SIP proxy server.
f) How is this message routed to the called VoIP phone?
The caller’s proxy server checks the IP telephone’s registration information, then contacts a proxy server on the destination end. The destination proxy passes the INVITE to the called VoIP phone.
g) Are SIP proxy servers involved during transport transmissions? Explain.
No. SIP proxy servers are only used in signaling.
h) What two types of communication does the media gateway translate between the VoIP network and the PSTN?
It translates between both signaling and transport standards.

19. a) What is eavesdropping?
Listening in on another’s conversations.
b) Why can DoS attacks be successful even if they only increase latency slightly?
By increasing latency, DoS attacks can severely degrade the performance of VoIP systems, making them almost unusable.
c) Why is caller impersonation especially dangerous in VoIP?
VoIP caller impersonations can provide spoofed credentials, making the impersonation seem more realistic.
d) Why are hacking and malware dangerous in VoIP?
As with all applications, hacking and malware can hand VoIP control completely to the attacker, who can then issue commands such as SIP BYE whenever they want to disrupt service or re-route data.
e) What is toll fraud?
Toll fraud is when someone breaks into a corporate VoIP system to make free long distance calls.
f) What is SPIT?
Spam over IP Telephony.
g) Why is SPIT more disruptive than e-mail SPAM?
Unlike e-mail spam, which you only get when you read e-mail, SPIT causes your phone to ring, annoying you directly.

20. a) What authentication mechanisms are common on IP telephones?
SIP Identity protocols authenticate across second-level domains, increasing authentication between companies.
b) What does SIP Identity ensure?
SIP Identity ensures that traffic is authenticated between two companies holding public/private keys.
c) How can eavesdropping be thwarted?
Eavesdropping can be thwarted by encrypting both transport and signaling traffic.
d) What sound quality problem may encryption create?
Encryption adds a small delay, which may impact performance.
e) Why do firewalls have problems with typical VoIP traffic?
Firewalls don’t like VoIP traffic because the packets are small, there are lots of them, they cannot be appreciably delayed to minimize latency, and they use multiple ports for signaling and transport.
f) For SIP signaling, what port has to be opened on firewalls?
SIP signaling requires port 5060 to be open.
g) Describe firewall port openings for VoIP transport.
Firewall port openings are required for SIP/H.323 messages. Additionally, the firewall must read these messages in order to open the transport ports.
h) Why is NAT traversal problematic?
NAT (1) adds latency to VoIP packets, and (2) because VoIP relies on the IP addresses of the participants, using NAT may break the VoIP protocol being used.
i) How are VLANs useful in VoIP?
Placing VoIP on a separate VLAN makes it difficult for attackers to come through the data side of the network to hack VoIP, and vice versa. It also helps to reduce traffic on the network for the data side.

21. a) What is Skype?
Skype is a VoIP service that currently offers free calling among Skype customers over the Internet and reduced-cost calling to and from Public Switched Telephone Network customers.
b) Why is Skype’s use of proprietary software problematic?
Skype’s use of proprietary software is problematic because Skype uses proprietary software and protocols that have not been studied by security professionals. This causes security professionals to be concerned with the existence of vulnerabilities, backdoors, and other security threats.
c) What problem is there with Skype’s encryption for confidentiality?
The problem with Skype’s encryption for confidentiality is that its method is unknown. Worse yet, Skype controls the encryption keys so that it can read traffic if it wants.
d) Does Skype control who can register a particular person’s name?
No, an attacker can use another person’s name and impersonate them. Skype initial registration is open and uncontrolled.
e) Why do firewalls have a difficult time controlling Skype?
Firewalls have a difficult time controlling Skype because Skype protocol is unknown and changes frequently to avoid analysis. Skype uses its structure to help users communicate through NAT firewalls. This is good for the user but bad for corporate security.
f) Does Skype’s file transfer generally work with antivirus programs?
No, Skype’s file transfer generally does not work with antivirus programs.
g) Overall, what is the big problem with Skype?
Although Skype concerns are theoretical, the fact that Skype cannot be well controlled by corporate security policies makes it unacceptable in many firms.

22. a) In IM, what does a presence server do?
Presence servers allow two users to locate each other.
b) What does a relay server do?
Relay servers have all messages pass through them, allowing filtering and recording.
c) For corporate IM, what are the advantages of using a relay server instead of only a presence server?
Using a relay server allows the company to report IM messages to satisfy legal retention and other compliance regulations.

23. a) What is the Danvers Doctrine?
The general thrust by the IETF to add strong security to all or nearly all of its standards.
b) Distinguish between security in SNMP V1 and security in SNMP V2.
SNMP v1 had no security at all. SNMP v2 introduces community strings in which a shared secret between manager and managed devices was used to authenticate messages. However, the same secret was used on all devices, making it easy to crack and lose control of the secret. Also, the secret is sent in the clear, making it vulnerable to network sniffers.
c) Distinguish between security in SNMP V2 and security in SNMP V3.
SNMP v2 security, consisting of community strings, was an improvement over SNMP v1, but still very inadequate. SNMP v3 added individual secrets shared between manager and devices for authentication. V3 also added confidentiality, message integrity, and time stamps to guard against replay attacks.
d) What still needs to be done for SNMP security?
Future versions of SNMP should include a public-key implementation to provide the strongest cryptographic controls for authentication, confidentiality, and message integrity.